1. Field of the Invention
The present invention relates to cryptographic techniques, and more particularly to systems for issuing and showing DSA-like secret-key certificates that can be blinded only restrictively.
2. Description of the Prior Art
Secret-key certificate systems are described and claimed in U.S. Pat. No. 5,606,617, issued on Feb. 25, 1997, to the present applicant. Triples consisting of a secret key, a corresponding public key and a secret-key certificate on the public key can only be obtained by engaging in a certificate issuing protocol with a Certification Authority. The difference from the well-known technique of public-key certificates is that pairs consisting of a public key and a secret-key certificate on that public key can be generated by anyone without the assistance of the Certification Authority.
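The defining property just stated, as an added example that is not part of the patent text: a toy Schnorr-style secret-key certificate, assumed here for illustration in the form c = H(h, g^r (h0 h)^c), with a constructed small prime-order group, SHA-256 standing in for the scheme's hash, and a simplified non-blind issuing step in which the Certification Authority forms the whole triple. Anyone holding only the CA's public key h0 can produce a (public key, certificate) pair that verifies, but that party never learns the matching secret key, so no triple results.

```python
import hashlib
import secrets

# Toy parameters (constructed for illustration only): p = 2q + 1 with q prime,
# and g generates the subgroup of order q. Real deployments use ~2048-bit p.
p, q, g = 1019, 509, 4

def H(*items):
    """Hash the transcript to a challenge in Z_q (SHA-256 stands in for the scheme's hash)."""
    data = "|".join(str(i) for i in items).encode()
    return int(hashlib.sha256(data).hexdigest(), 16) % q

def ca_keygen():
    """Certification Authority key pair (x0, h0 = g^x0); h0 is published."""
    x0 = secrets.randbelow(q - 1) + 1
    return x0, pow(g, x0, p)

def verify(h0, h, cert):
    """(c, r) is a certificate on public key h iff c == H(h, g^r * (h0*h)^c).
    Needs only public data, so anyone can check a certificate."""
    c, r = cert
    return c == H(h, pow(g, r, p) * pow(h0 * h % p, c, p) % p)

def ca_issue_triple(x0):
    """Simplified (non-blind) issuing: the CA picks the secret key x itself and
    signs with the combined secret x0 + x, yielding the full triple (x, h, cert)."""
    x = secrets.randbelow(q - 1) + 1
    h = pow(g, x, p)
    w = secrets.randbelow(q - 1) + 1
    c = H(h, pow(g, w, p))
    r = (w - c * (x0 + x)) % q
    return x, h, (c, r)

def forge_pair_without_ca(h0):
    """Produce a verifying (public key, certificate) pair knowing only h0.
    Choosing h = g^w / h0 makes h0*h = g^w, so the forger can answer for the
    combined key without knowing log_g h = w - x0; the secret key stays unknown."""
    w = secrets.randbelow(q - 1) + 1
    t = secrets.randbelow(q - 1) + 1
    h = pow(g, w, p) * pow(h0, -1, p) % p
    c = H(h, pow(g, t, p))
    r = (t - w * c) % q
    return h, (c, r)
```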
Mechanisms for transporting digital signatures often require a Certification Authority to issue triples consisting of a secret key, a matching public key, and a certificate of the Certification Authority on the public key. Of particular interest for privacy-protecting mechanisms for signature transport are so-called restrictive blind certificate issuing protocols, in which the receiver can blind the issued public key and the certificate, but not a predetermined non-trivial predicate of the secret key ("non-trivial" meaning that the predicate carries at least one bit of information); this part of the secret key is invariant under any blinding operation that the receiver can feasibly apply, and hence the Certification Authority can encode information into it that cannot be altered. Restrictive blind certificate issuing protocols, and methods for applying them to privacy-protecting mechanisms for value transfer such as, in particular, off-line electronic cash, are described and claimed in U.S. Pat. No. 5,521,980, issued May 28, 1996, to the present applicant.
U.S. Pat. No. 5,521,980, issued May 28, 1996, and U.S. Pat. No. 5,606,617, issued Feb. 25, 1997, describe and claim restrictive blind certificate issuing protocols for secret-key certificates based on the Discrete Logarithm problem as well as on the RSA problem, both of which are believed in the art to be intractable. In particular, the security of the described secret-key certificates and restrictive blind issuing protocols relies on the security of Schnorr digital signatures (see: Schnorr, C., "Efficient Signature Generation by Smart Cards," Journal of Cryptology, Vol. 4, No. 3, 1991, pp. 161-174), on the security of Guillou-Quisquater digital signatures (see: Guillou, L. and Quisquater, J., "A practical zero-knowledge protocol fitted to security microprocessor minimizing both transmission and memory," Lecture Notes in Computer Science 330, Proceedings of Eurocrypt '88, Springer-Verlag 1989, pp. 123-128), or on the security of other digital signatures with similar characteristics, commonly referred to in the art as Fiat-Shamir type digital signatures.
Most of the secret-key certificate issuing protocols described in U.S. Pat. No. 5,521,980, issued May 28, 1996, and U.S. Pat. No. 5,606,617, issued Feb. 25, 1997, are restrictive blind only when the issuing protocol is executed sequentially, in case distinct blinding-invariant numbers are involved. This means that the Certification Authority should send the initial information for the next execution of the protocol only after it has received the challenge number for the previous execution. To enable the Certification Authority to perform executions of the issuing protocol in parallel without any limitations, the inventive and generally applicable method described in Dutch patent application NL 9500584, filed Mar. 27, 1995, by the present applicant, can be applied to immunize against attacks in parallel execution mode.
U.S. Pat. No. 5,606,617, issued Feb. 25, 1997, describes a secret-key certificate system based on DSA digital signatures (see: NIST, "Specifications for a digital signature standard (DSS)," Federal Information Processing Standards Pub. (draft), Aug. 19, 1991). However, it is highly unclear how an issuer could issue these certificates by means of an efficient restrictive blind issuing protocol. A restrictive blind issuing protocol for certificates based on DSA digital signatures is not yet known in the art, and neither is a secure protocol for showing such certificates. Because DSA signatures have been standardized in the U.S., and the security of DSA signatures does not necessarily depend on the security of Schnorr or other Fiat-Shamir type digital signatures, restrictive blind certificate issuing protocols and showing protocols based on DSA digital signatures are believed to be of considerable practical interest, especially if executions of the issuing protocol could be performed in parallel without limitation. Privacy-protecting mechanisms for value transfer based on such DSA-like certificates are likewise believed to be of practical relevance.